
cPanel Exploit Addendum

Last week we wrote about a 0-day exploit with cPanel. Now that all the cPanel servers have auto-updated and patched the vulnerability, cPanel has released additional info on the security update. They actually fixed 2 major security issues. Both issues were labeled as "important", which seems to be one of the highest classifications, if not the highest. That classification includes, among other things, remote code execution exploits, which thankfully these 2 exploits were not.

Let's take a look at the two issues in more detail. cPanel did not release a proof of concept for these exploits, and it doesn't appear they are going to. Even if they did, it would be difficult to recreate, since servers have already patched themselves automatically. This exploit also has not been posted on their CVE details page, at least not yet: http://www.cvedetails.com/vendor/1766/Cpanel.html

The first exploit has to do with "Apache Piped Log Configuration", introduced in WHM version 11.30. This setting is in WHM (I could not find it in /scripts/easyapache, also known as ea3) under Apache Configuration, then Piped Log Configuration. The exploit needs piped logging enabled, and it then takes advantage of an unvalidated input bug in the cPanel binary /usr/local/cpanel/bin/splitlogs. The end result allows the attacker to write files to the system.

Splitlogs is used to improve performance and save resources when handling the Apache logs, as well as when processing bandwidth usage. For example, by using splitlogs, you do not need to restart Apache when you close a log file.

I would assume the owner of these files would be root, with writing allowed to root-owned directories. They don't mention it, but since it's labeled as important, I would assume this allows you to overwrite files as well, which in some cases, not necessarily with this exploit, will allow you to do things like disable the firewall, overwrite the hashes in /etc/shadow, allow direct root login, etc.

This would be a local user exploit for a feature that is disabled by default, and you'd have to know enough about that function to test different inputs for splitlogs in order to exploit it. Therefore the millions of cPanel users were pretty safe from being a victim of this, especially if you have a dedicated server.
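
To check whether a server has the feature behind the first issue turned on, the following added example (not from cPanel or from the original article) scans an Apache configuration for log directives that pipe into a program and marks the ones that name the splitlogs binary. The function names, the configuration file you pass in, and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report Apache log directives that pipe into a program,
# and flag those that pipe into the splitlogs binary named in the article.

SPLITLOGS=/usr/local/cpanel/bin/splitlogs   # path as given in the article

# Print "LINENO<TAB>splitlogs|other<TAB>directive" for each piped log target.
# Reads the file given as $1, or standard input when no file is given.
piped_log_report() {
    awk -v bin="$SPLITLOGS" '
        /^[ \t]*#/ { next }                       # skip commented-out lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # directives may be indented
            split(line, f, /[ \t]+/)
            d = tolower(f[1])                     # directive names are case-insensitive
            if (d != "customlog" && d != "errorlog" && d != "transferlog") next
            target = f[2]
            sub(/^"/, "", target)                 # the target is usually quoted
            if (substr(target, 1, 1) != "|") next # plain file, not a pipe
            kind = (index(line, bin) > 0) ? "splitlogs" : "other"
            printf "%d\t%s\t%s\n", NR, kind, line
        }' "${1:--}"
}

# Exit status 0 when at least one directive pipes into splitlogs.
uses_splitlogs() {
    piped_log_report "${1:-}" |
        awk -F '\t' '$2 == "splitlogs" { found = 1 } END { exit !found }'
}

# Constructed sample configuration (not taken from a real server).
sample_conf() {
    cat <<'EOF'
# CustomLog "|/usr/local/cpanel/bin/splitlogs" combined
ErrorLog logs/error_log
CustomLog logs/access_log combined
  CustomLog "|/usr/local/cpanel/bin/splitlogs" combined
TransferLog "|/usr/sbin/rotatelogs /var/log/t.log 86400"
EOF
}
```

Run `piped_log_report` against the server's own Apache configuration file; an empty report means no log directive pipes into any program.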

Let's take a look at exploit #2 now. This one is not related to the first; it specifically has to do with arbitrary code execution through cPDAVd. cPDAVd is the cPanel daemon for WebDAV, or WebDisk, as it's more commonly called. This was introduced in cPanel 11 and allows you to create a "drive" on your desktop to drag and drop your files to, or, if you use Linux, a mount to copy your files to.

This one is also listed as "important", and specifically has to do with an authenticated user being able to execute code through improperly validated, or sanitized, file names. While not a remote code exploit, this one is more serious than the first security issue: cPDAVd is enabled by default, it allows arbitrary code execution, and it appears this will take standard commands, without the attacker having to form the commands in a segment of shell code.